April 30, 2015

April 10, 2015

Please reload

Recent Posts

I'm busy working on my blog posts. Watch this space!

Please reload

Featured Posts

Latest Zero-Day: Strike While the Iron’s Hot

January 14, 2010

I think George Kurtz summed it up, "wow." This isn't the blog to follow late breaking developments of the Google et al. hacks (one of my favorites is the Register). This is the blog to discuss how best to use this data as evidence in your risk and mitigation prioritization.


When managing risk teams I had a saying, find the smoking guns, strike while the iron's hot. Metaphors aside, including real evidence in your story is required and the evidence doesn't always have to be from your environment. What's useful about multi-vector attacks (social engineering, software exploitation, detection evasion, etc.) is their utility in your prioritization story.


The key is to pragmatically apply the attack/evidence to your current control posture. Lay out the attack path and compare against your known strengths and weaknesses. This is helpful on two fronts. First, your execs are probably asking you right now "are we vulnerable to ?" Second, given your control weaknesses, how does apply to your risk prioritization and control posture?


Since I don't know the facts on Aurora, this is purely anecdotal for discussion:


- user receives email/chat with hyperlinks to exploitation servers


- user is owned for using IE 6 or other versions of IE (usually this is old version software package x.x)


- malware executes requiring admin permissions (for this example)


- attack traffic has un/known IDS signature


So depending on your strengths in these areas, you can show how each risk/control maps on your heatmap of impact/likelihood to communicate your current exposure and empower your mitigation decisions. Continuing the example:


- html/rich text pointing to evil/rooted servers: do you only allow plain text, white list, subscribe to fwd proxy black list, etc.


- browser vendor/version: if IE 6 is still your standard, hallelujah! another great piece of evidence to upgrade already. I won't go into IE vs. FF... If this isn't a 0 day, more great evidence to close the loop on the patch process.


- user permissions: what's your standard, enforcement, and measurement of local admin? Great opportunity to build a closed loop enforcement/exception process if you've let this get away from you. This might even apply to your IT desktop upgrade timeline.


- detection, host and network: how mature is your detection service, are you connected with the intel community to write or receive new sigs, do you require the expertise in-house, etc. What are your statistics with similar incidents?


- response: if you're compromised like those with Aurora, can you tell your business leaders you can respond and limit exposure, respond to the media, law enforcement, etc.


I used to create a threat specific summary and heatmap for the execs as soon as news like this broke (assuming you're not in IR mode). Hopefully you already have the assessment complete or are communicating updates. Being prepared for this is another great example why investing in a proactive security service is more valuable than a reactive approach. Use this aurora anecdote. It's gold.


With emphasis: I don't mean to be insensitive to all the teams working around the clock right now. I just want to emphasize how this can be used for the greater good. This is your time to shine - strike while the iron's hot.

Share on Facebook
Share on Twitter
Please reload

Follow Us

I'm busy working on my blog posts. Watch this space!

Please reload

Search By Tags